Noob to logstash here, I am trying to do something that I thought would be easy but I am having trouble. I just want to add a field if the syslog_hostname equals a string or ip address. Here is what I have and when i use this logstash will crash.
filter {
if [syslog_hostname] == "10.145.252.1" {
mutate {
add_field => { "vendor", "some_vendor" }
}
}
}
Thanks in advance.
it shout be like
add_field => [ "received_at", "ssss" ]
I did try it with the [ ] instead of the { } and had the same issue. The only way I can modify this to not crash logstash is:
filter {
if [syslog_hostname] == "10.145.252.1" {
mutate {
add_field => [ "vendor", "some_vendor" ]
}
}
}
Unfortunately the filter does not work when I do that. The error I get in my log files when I do have it configured like above is:
Error: Expected one of #, in, not , ==, !=, <=, >=, <, >, =~, !~, and, or, xor, nand, { at line 483, column 26 (byte 11065) after filter {\n if [type] == "syslog" {\n grok {\n match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }\n add_field => [ "received_at", "%{@timestamp}" ]\n add_field => [ "received_from", "%{host}" ]\n }\n date {\n match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]\n }\n\n if [syslog_hostname] ", :level=>:error}
Please show your full configuration.
I found the issue, I had one too many } at the end. Thanks for looking at this guys, I guess I just need to step away from the computer for a few minutes.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.